{{Header}}
{{Title|
title=Read-Only: Setting Hard Drives to Read-Only
}}
{{#seo:
|description=When using live mode, no changes are made to the disk. For added security, consider setting your disk to read-only mode, if possible.
|image=whonixlive.jpg
}}
{{live}}
{{grub-live}}
[[File:whonixlive.jpg|250px|thumb]]
{{intro|
Depending on the user's use case. Choose one.

* '''A)''' ISO users installing {{project_name_short}}: Using the [[ISO]] just to install {{project_name_short}}? This does not matter. The user can ignore any live mode related warnings. These are not applicable.
* '''B)''' Interested in live mode? See below.

When using [[Live Mode|live mode]] ([[grub-live]] or [[ISO]] live), no changes are made to the disk. For added security, consider setting your disk to read-only mode, <u>if possible</u>.

Sometimes it possible to optionally set the disks to read-only. This increases the security of live mode, because otherwise malware running as root could theoretically mount the image read-write and gain persistence in this way.
}}
= Introduction =
The emphasis is on <u>if possible</u>.

This is platform specific.

Unfortunately, read-only mode is not easily available on all platforms.

= VMs =
== VirtualBox ==
Step-by-step guide on implementing the Immutable Disk Method for Virtual Machine (VM) Live Mode in VirtualBox, focusing on secure, read-only VM configurations.

This option is the official method for setting VMs to read-only in VirtualBox. It will only work with the <code>grub-live</code> package, which is installed by default. <ref>
This option will not work with the <code>ro-mode-init</code> package.
</ref>

{{Box|text=
'''1.''' Make the [[VirtualBox]] disk immutable / read-only.

This step is crucial. Otherwise, contents might be recoverable from the host drive. <ref>
VirtualBox implements hard disk write protection differently. If an immutable virtual machine is booted, VirtualBox will always create a snapshot where data is written. After shutting down and booting the VM again (a soft reboot is inadequate), the old snapshot will be deleted and a new one created. Consequently, data will not persist in the VM, even if Live-mode is not selected. However, since the data is written to the hard disk of the host (instead of memory), it is easily recoverable. Therefore, selecting Live-mode is essential for safety. A snapshot file is still created, but it will not store any altered content from the VM.
</ref>

Follow these steps:

{{Box|text=
# Power off the VM.
# In the VirtualBox main window, navigate to: <code>File</code> &rarr; <code>Tools</code> &rarr; <code>Virtual Media Manager</code>.

[[File:vbox-livemode1.png|500px]]

# Select the disk to write protect and release it.
# Then on <code>Type</code> &rarr; <code>set it to Immutable</code>.

[[File:vbox-livemode2.png|800px]]

# In the VirtualBox main window, navigate to the settings of the VM.
# Under storage, select the top controller and add the existing hard disk there.
}}

'''2.''' Launch live-mode.

Follow the documentation on the [[Live Mode]] wiki page.

'''3.''' Done.

The process of enabling read-only mode has been completed.
}}

== KVM ==
{{Box|text=
'''1.''' Set the VM disks to read-only.

Follow these steps:

* Power off the machine.
* Set the hard disk to read-only in the virt-manager GUI before booting into live mode.

'''2.''' Launch live-mode.

Follow the documentation on the [[Live Mode]] wiki page.

'''3.''' ''Optional:'' Revert the read-only change.

To boot into normal mode again, revert the change from step 1 and choose the normal boot option in the GRUB menu.

'''4.''' Done.

The process of enabling read-only mode has been completed.
}}

== Qubes ==

<code>grub-live</code> is currently [[unsupported]] on [[Qubes]]. <ref>
Nothing came out from [https://forums.whonix.org/t/whonix-live-mode-amnesia-amnesic-non-persistent-anti-forensics/3894/31 forum discussion].
</ref> This issue is [[unspecific|unspecific to {{project_name_short}}]]. Qubes issue: [https://github.com/QubesOS/qubes-issues/issues/4982 implement live boot by porting grub-live to Qubes - amnesia / non-persistent boot / anti-forensics]

In Qubes, Disposables are a suitable alternative.

= Host Operating System =
This would require a hard drive that comes with a physical read-only switch.

This is [[undocumented]] and [[unspecific|unspecific to {{project_name_short}}]].

= Comparison with Tails =
[[Grub-live#Comparison_between_grub-live_and_Tails|Comparison between grub-live and Tails]]

= Alternative Configurations =
{{mbox
| image   = [[File:Ambox_warning_pn.svg.png|40px]]
| text    =
Platform specific notice.

* [[KVM]]: Skip this section if the [[#KVM|KVM Live-mode]] 
* [[VirtualBox]]: Skip this section if [[#VirtualBox|VirtualBox Live-mode]] configuration steps above have already been completed.
}}

VirtualBox and KVM: [[VM_Live_Mode/ro-mode-init|VM Live Mode: Alternative ro-mode-init Configuration]]

= Footnotes =
{{reflist|close=1}}
[[Category:Documentation]]
{{Footer}}